
December blues: Three major data breach events rock leading firms

The run-up to the end of 2022 has seen three significant data breaches occur, each one due to a vulnerability in the set-up of the company.

Image by © Tim Sandle

The run-up to the end of 2022 has seen three significant data breaches, each one traceable to a weakness in how the affected company was set up. Leading analysts have reviewed the incidents and offered their perspectives to Digital Journal.

In the first case, the Play ransomware gang has claimed responsibility for a cyberattack on H-Hotels. The attack left staff without access to email, and the hotel group’s name has appeared on Play’s dark web victim blog, where the group states it holds a trove of data, including guest passport details.

Nick Tausek, Lead Security Automation Architect at Swimlane, tells Digital Journal that this new player in the cyber-war should not be underestimated.

Tausek explains: “Even though the Play ransomware gang is a relatively new group, it has solidified its reputation as a significant threat, claiming responsibility for devastating attacks against Argentina’s Judiciary of Córdoba in August and Belgium’s city of Antwerp several weeks ago. Now, it has claimed responsibility for attacks against a major European hotel chain, H-Hotels, that has caused communications outages at the height of the travel and holiday season. More significantly, the gang has claimed to have stolen the personal data of hotel customers, potentially exposing victims to further fraud and scams.”

Tausek notes that these criminals are seeking out sectors where security has traditionally been weak: “While Play had previously focused on attacking local governments that have limited cybersecurity infrastructure in place, it is important to note that the group was able to infiltrate an extensive protection network, signifying that Play has developed capabilities to launch more professional attacks.”

There are lessons to be learned and measures that can be taken to decrease the risk of these types of attacks succeeding in the future. Tausek observes: “To mitigate the chances of similar attacks in the future, it is imperative that organizations adopt low-code security automation to help detect and respond to threats in real time by allowing complete visibility into IT environments. Endpoint security tools that integrate low-code security automation give organizations a cohesive protection strategy that protects customers and employees as well as keeps essential communications systems up and running.”

The second news item concerns a malicious package published on the Python Package Index (PyPI) that impersonated a SentinelOne software development kit (SDK) in order to steal data.

In relation to this, Jason Kent, Hacker in Residence at Cequence Security, explains to Digital Journal where the main weakness exploited by this attack lies.

Kent explains: “When looking to find magic keys to the kingdom, for an organization, the attacker is going to look where the API keys are, since you can’t get API keys from developers just by using charm and personality. Like Willie, you have to employ the right weapons.”

Kent adds: “It is possible to crawl through git repos and find API keys, we read about these sorts of attacks all the time. What if you could put some context around the API keys and harvest keys from organizations that will have specific technology deployed? Enter the world of API Key harvesting SDKs that mimic SDKs from well-known security companies. This gives us the ability to contextually harvest API keys from those that are running the technology we care about.”

Kent expands upon the vulnerability, noting: “Fortunately for us, this was noticed. Unfortunately, this is what we are now up against. Everything we do and every tool we use needs to be validated. Any API key we use needs to be invalidated and regenerated every time we need it. The days of having high-privilege API keys that last forever need to go away into the past. If someone can write code that can harvest API keys from our own code, we need to stop allowing API keys to last more than a few minutes.”

Kent also looks at the third case. Here, Social Blade, the social media analytics platform, has suffered a data breach and confirmed its database has been put up for sale on a hacking forum.

Kent says that the vulnerability that led to the attack was part of an inherent weakness: “Even the smallest of flaws, if they go unnoticed, can compound into a huge problem for an organization. Without knowing the exact nature of the flaw, we can assume it allowed full access to the database, as this is what the attacker had after running the breach. The overall response here was excellent, including resetting passwords and flushing API keys as well as addressing the flaw.”

Drawing parallels with the second incident, Kent adds: “Had the accounts or API keys been compromised and left valid, the damage could have been much worse. Imagine having administrative access at the level of every one of their customers. They could sell social analytics to anyone for any purpose including reputational and/or brand damage.”

Moving on to the knock-on effect of this, Kent warns: “Now the people that possess the database know a good credential set to try on other platforms.”

Written by

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
